Rebooting from a Cyber-Punch: Part 2

Take the staircase and not the elevator, as the old advice goes. But where’s the staircase?

Pratima Harigunani
INDIA: Oh, you meant that area where nicotine addicts get some room to inhale stress-busting air? But it has so many cobwebs, dear!

Righto! Once an emergency arrives (as Part 1 spelled out), it won’t allow time for usher-boys or valets, and definitely not for housekeeping, to lead the way.

Your internal team had better know the navigation tips in advance. Ever heard of evacuation training?

The Fire Drill:

Do employees know how and when to report an incident? Who is responsible for conveying relevant messages to employees, partners, or customers? As Forrester analysts outline, there are six main areas of the incident management life cycle: risk analysis; threat analysis; security policy mapping; incident response policy; and, wait for it, testing, along with review and update.

John Kindervag, Josh Zelonis, and Heidi Shey from Forrester quip: "There’s a saying in DR: If you’re not finding problems when you test, you’re not testing thoroughly enough." It turns out it is quite critical to test your incident response plans before the incident.

"Testing validates response capabilities, trains the response team in its roles and responsibilities, and uncovers weaknesses or invalid assumptions in the plan. If you’re not testing, you’re simply not prepared. Also, after each test or incident, you should hold a debriefing, after which you update the plans," they stress quite precisely in a report.

The goal, as Keith Barker, CBT Nuggets' trainer, also underlines, is to have a drill as close to reality as possible. Just checking a box is not good enough in his reasoning. Trying to move a virtual system from one place to another, or having an internal team spring a surprise mock attack, is more like it.

Have a drill as close to reality as possible: Keith Barker, CBT Nuggets

Of course, testing should not be based on assumptions and false negatives. All relevant people and areas of the part concerned must be involved in testing. Do you know that 37 per cent of incidents are caused by configuration or human error? These can be avoided with proper monitoring, configuration management, and automation, as the annual Network Barometer Report by Dimension Data found.

Now this is where heterogeneity can play truant, as expected. As organisations invest in multiple shades of IT, sourcing elements from various vendors and weaving their IT across multiple platforms, ensuring that everything can be tested seamlessly can be too much to ask.

Check with Vidit Baxi, Director - Technology, Lucideus, and he avers that this may not be easy. "But you don’t have to make it too complicated either. You just need a sufficiently-sized IT team to handle multiple sprawls of end-point devices, network devices or firewalls. Adequate training and certifications help there and many vendors support this mindset."

As to the realistic quotient of such drills, Barker assures that most of them are as close to reality as possible, when undertaken properly. "Of course, you cannot test everything, but at least try to identify critical business elements that will matter."

One can leverage a third-party penetration testing company to perform an assessment of security controls and detection capabilities.

Also, do not forget the auxiliary areas. The TalkTalk breach of 2015 is a good enough reference point to grasp the importance of corporate communication. Its CEO, Dido, gave quite an example of how both the timing and the content of communications surrounding a breach can be handled the wrong way.

Forrester surmises that knowing who is going to speak for the company and what message the company will deliver to customers, investors, and business partners is going to be a good strategic move. "Poor communication can increase customer frustration and irreparably damage your corporate reputation."

Detonating Downtime

Getting back to business has to happen swiftly, but the underlying struggle is quite a slow-mo scenario.

Incidentally, what is easily forgotten or trampled over is the need not to inadvertently destroy any forensic evidence in the process of quickly restoring the IT service. Training both directly responsible and indirectly involved employees about this slippery corner is a must.

2017 will be the final full year before the EU's General Data Protection Regulation (GDPR) is a legal requirement. Expect business costs going higher as new data protection controls are applied (Forcepoint’s 2017 predictions)

Data is an important restoration ingredient here. Symantec cites some examples. Take Jilin Province Rural Credit Union, which deployed a data protection solution and, the company claims, saw a 10-fold increase in the number of systems backed up, 100 per cent recovery success, a 99 per cent backup success rate, four weeks of backup data available on disk, and 75 per cent less administration time required.

This is all the more relevant in light of the expectation that the China Banking Regulatory Commission requires credit unions to comply with certain requirements, including data protection and retention.

Core finance and accounting systems must be backed up regularly and the data must be stored off site at a disaster recovery (DR) facility. The Union still backs up critical data from the appliances to tape, but keeps four weeks of data on disk on the appliances to accelerate recovery by three to four hours.

Then there is the prospect of AI (Artificial Intelligence). The extreme speed, analytical superpowers and the resulting resilience could be just the props that systems need to stand back on at least one foot to start with.

Is correcting and repairing damage 'on the fly' a notion already here, or is it still on its way? Barker lets on that the concept of a dynamic firewall in the Cloud is itself AI of sorts, given its dynamic correlation abilities. "There is a lot of smart software out there and currently a lot of intelligence in the Cloud, with next-generation firewalls being used for dealing with botnets etc. Information from another part of the world can be dynamically added to this intelligent pool where heuristics can take over in guiding forth."

Vidit Baxi, Director - Technology, Lucideus, sees it this way. "That’s how security should ideally shape up. AI could be a big thing and can speed things up, complementing the human element, equipping it with suitable powers."

And Once the Debris Settles....

Business restored? Breach vulnerability handled in a foolproof way with no possibility of resurgence?

You think you can wipe that perspiration from the overhead and plop in a chair? Not yet, dear. Picking up the pieces after a storm is a heavy-lifting job.

Now is when your cyber-insurance, litigation and compensation wheels will have to get into the groove. Get ready for lawsuits, the public, government agencies, partners and suppliers, and the tough cliffhanger question of whether or not to declare the breach, because the consequences range from notifications and brand damage to compliance-related penalties or data-related compensation.

If a breach affects more than 500 individuals, then failure to notify individuals of a data breach could constitute a HIPAA violation leading to a fine of up to $50,000 per violation

Here's what has actually happened in breach-struck areas. Some 15 per cent talked about bad publicity, 15 per cent about lost customers, and another 15 per cent mentioned greater difficulty in attracting new customers, according to Forrester’s Global Business Technographics Security Survey, 2016. Then there were the 12 per cent that lost business partners. Only a sliver of five per cent stated that nothing had changed after a breach.

As Forrester’s Kindervag, Zelonis, and Shey summarily nail here: "You can’t mitigate every risk; at some point you will need to respond quickly to a sudden IT failure or natural disaster such as an earthquake. There’s no set of security controls that will guarantee you won’t suffer a breach. A security breach is inevitable."

Post-breach litigation is, evidently, a massive after-shock. Consider how after the US health insurer Anthem’s breach of 80 million customer records, a US District judge ruled that 'the theft of personal identification information is harm to consumers in itself, regardless of whether any subsequent misuse of it can be proven.' This decision in 2016 scraped away a key defense against class action - that of having to prove injury.

Do you know that almost every US state requires breach notification? In fact, SEC guidelines clearly lay down that material information regarding cybersecurity risks and cyber incidents has to be disclosed when necessary in order to make other required disclosures.

In every sense of the word, what matters is 'how'. How does one react? Slotting an incident into the right bracket of criteria, mobilising the response team, mitigating the incident, handling compliance and damage-claim related legal minutiae, culling forensic evidence if applicable, and, most importantly, restoring the disrupted service while simultaneously alerting individuals if necessary: these are the steps that decide whether one crumbles or rises back stronger. In either case, do not let go of the forensic investigation; get the pulse right on what happened and what is to be done about it in future.

One can also think of sharing the information with others, even competitors, to help the industry as a whole. Blacklists, say, or a pool of ‘sharks here’ caution stickers that can help avert catastrophes in future.

If we swing to Forrester’s Global Business Technographics Security Survey, 2016 again: after a breach, 20 per cent of decision-makers appeared to have increased their sharing of threat intelligence with third parties, and 18 per cent to have begun sharing threat intelligence with third parties.

References that hold good for one organization may not be apt for others: Vidit Baxi, Lucideus

Baxi dismisses the prospect of too many expectations though, except for some general standards and best-practices that are around. "References that hold good for one organisation do not necessarily apply for others, even if they are in the same vertical. IT set-ups, risk management systems, operational and configuration parts as well as strategic postures differ a lot."

Barker spreads this notion on the table of dynamic firewalls and Clouds again, and hopes that agile intelligence could do what such lists are supposed to do – forewarn and forearm.

Wrap with the sign: Handle with Care

Look at the actual contours of change resulting from a breach.

As assessed by Forrester from an array of 332 global decision-makers responsible for network security at companies that have had a breach, 27 per cent indicated increased spending on threat intelligence capabilities and 26 per cent increased spending on prevention technologies. There were 17 per cent who considered switching IT auditors and an equal 17 per cent who switched security vendors or service providers.

Respite somewhere? Incident response is 69 pc faster, and repair time 32 pc faster, for networks monitored by Dimension Data

Baxi echoes the new shift while he injects some hope. "As we are progressing, the timelines are certainly improving on getting back to business."

Now people invest in correlation tools, forensics and so much more that was, until a few years back, considered a redundant expense. Think of ten to 15 years back, as Baxi reminds us, when security used to be a dinosaur in the room. "But now cyber-security is even part of the CFO agenda at many enterprises. We should appreciate that people and companies have become increasingly cognizant."

The boardroom and mindsets have embraced information security at a strategic level, and that is vital, because, as Baxi reiterates with gravity: "Security just can’t happen in a non-strategic way. Whether it is budgeting, pooling HR, business functions and resources in various capacities – it has to have a strategic tenor."

An untoward IT fiasco can be quite a defining moment if you look at it the way Kindervag, Zelonis, and Shey do.

"Done poorly, and you will generate anger and frustration. But: Done well, your incident response can be an opportunity to demonstrate to customers that you value their privacy, security, and well-being more than you do short-term company profits, generating intense positive emotions that lay the groundwork for a more trusted relationship in the future."

So saddle up and remember what the handsome avenger Tom Hiddleston remarked: 'We all have two lives. The second one starts when we realise that we only have one.'

While you still can, take time out to heed what the small allergies are telling you in the first one.

Gesundheit!
